Cracked Passwords List Leaked, were you cracked? - page 5.

gentakin

member

Activity: 98

Merit: 10

Quote from: bitcoin0918 on June 28, 2011, 12:04:20 PM

I set my password to my bitcoin address. What could be more secure than that?! Grin

Now that you've publicly stated this, it should be trivial to get a tool up that searches the block chain for bitcoin addresses and attempts to crack your password with each of them. Wink

bitcoin0918

newbie

Activity: 70

Merit: 0

I set my password to my bitcoin address. What could be more secure than that?! Grin

bitcon

legendary

Activity: 2212

Merit: 1008

they got mine too.. wonder what percentage of this list even realize that their passwords are floating around on the internet for everyone to see.. thats a lot of passwords.

darbsllim

sr. member

Activity: 297

Merit: 251

Founder, Filmmaker, Fun Guy

Some of these people with complex passwords could have fallen for the fake mtgox emails

DamienBlack

jr. member

Activity: 56

Merit: 1

I can verify that 7XiBKeJe5ochSqVW is in fact the correct password, he was unsalted, and using "simple" md5. I cannot verify the salted passwords, they seem to be a different type of md5 then I am using. Why are there two different types of md5, and what do I call the second one?

aral

newbie

Activity: 42

Merit: 0

Quote from: xenon481 on June 28, 2011, 11:47:32 AM

The throwaway password I used on a throwaway mtgox account is not in the list. It was only 7 characters long with uppercase letters and numbers.

ditto

i had no money in it, never have had

i think it's weird though if they managed to make a list of active users. what does that imply?

sturle

legendary

Activity: 1437

Merit: 1002

https://bitmynt.no

Quote from: bitcoin0918 on June 28, 2011, 11:03:46 AM

The fact that a password is in this list doesn't imply that it was cracked. As finack said, the complex passwords were probably stolen by some other means - e.g. phishing - and happened to be reused.

Yep. This is definetly a wordlist crack from both mangled words and leaked or phished passwords from other sites. I can say that with 100% certainty because my own password isn't on the list. My old Mt.Gox password was set for testing the new exchange at a time when a bitcoin was worth a few cents. I used it on BBSes in the eighties, and it is very far from secure to modern standards. Not even the nineties standard, I'd say.

bitcoin0918

newbie

Activity: 70

Merit: 0

Quote from: Saturn7 on June 28, 2011, 11:36:35 AM

Quote from: bitcoin0918 on June 28, 2011, 11:31:24 AM

Quote from: Saturn7 on June 28, 2011, 11:17:07 AM

A 5870 can do 3.8 Billion password combinations a second.

If you have 3 of them in your system like most miners do, thats 11.4 Billion per second

684 Billion per Minute
41 Trillion per Hour
984 Trillion per day (24 hours)
6.8 Quadrillion per week
210 Quadrillion per Month Shocked

I think the days of "passwords" you type with a keyboard are over.

Even with those numbers, it would take on average a week to crack a purely random 8-character combination of alphanumeric/special characters. If that number is raised to 10, it's 21 years, according to this spreadsheet calculator.

Yes but this spreadsheet assumes only 17 billion per hour not 41 Trillion.

No you dolt! I took their number for total combinations, and divided it by your password test rate, to determine the amount of time necessary. You could have seen this yourself by actually looking at the numbers, rather than just seeing something that didn't make sense and assuming that was the explanation.

bitcoin0918

newbie

Activity: 70

Merit: 0

Quote from: Isepick on June 28, 2011, 11:33:11 AM

I doubt that these and the many more that are on there 1) got phished and 2)wound up on this particular list at the same time. Well, except for the last guy. Though I do suppose that is an upgrade to using 'password' for a password Tongue

Well, aside from *MAGIC*, by what other method do you believe those passwords were determined?

xenon481

sr. member

Activity: 406

Merit: 250

The throwaway password I used on a throwaway mtgox account is not in the list. It was only 7 characters long with uppercase letters and numbers.

SgtSpike

legendary

Activity: 1400

Merit: 1005

Quote from: Saturn7 on June 28, 2011, 11:17:07 AM

A 5870 can do 3.8 Billion password combinations a second.

If you have 3 of them in your system like most miners do, thats 11.4 Billion per second

684 Billion per Minute
41 Trillion per Hour
984 Trillion per day (24 hours)
6.8 Quadrillion per week
210 Quadrillion per Month Shocked

I think the days of "passwords" you type with a keyboard are over.

It'd take 4 months to crack a 10-char alphanumeric password. I don't think the days of "passwords" you type with a keyboard are over.

That said, how did so many of these passwords get cracked so quickly, if it should take centuries to crack some of them based on length? Were that many people really idiots enough to visit the phishing sites sent in the spam emails?

EDIT: Also, mine was not cracked.

DamienBlack

jr. member

Activity: 56

Merit: 1

I wonder if people who aren't cracked, but are reporting that they have easy-ish passwords are people who had very little in their account. Is there any information about whether our account balances were available?

finack

member

Activity: 126

Merit: 10

The thing is that plenty of people here have reported having weak-ish passwords (including myself) that they didn't crack, so a large cracking network or optimized algs don't explain them.

Has anyone actually checked one of the hashes for one of the strong passwords and confirmed it's correct? Could just be someone fucking around.

If they are legit, they have to have come from another source than just cracking. Either they were pre-cracked or phished or the publisher had access to the passwords some other way.

DamienBlack

jr. member

Activity: 56

Merit: 1

Quote from: bitcoin0918 on June 28, 2011, 11:31:24 AM

Quote from: Saturn7 on June 28, 2011, 11:17:07 AM

A 5870 can do 3.8 Billion password combinations a second.

If you have 3 of them in your system like most miners do, thats 11.4 Billion per second

684 Billion per Minute
41 Trillion per Hour
984 Trillion per day (24 hours)
6.8 Quadrillion per week
210 Quadrillion per Month Shocked

I think the days of "passwords" you type with a keyboard are over.

Even with those numbers, it would take on average a week to crack a purely random 8-character combination of alphanumeric/special characters. If that number is raised to 10, it's 21 years, according to this spreadsheet calculator.

Deepbit could crack a 10 char password every three seconds.

Saturn7

full member

Activity: 147

Merit: 100

Quote from: bitcoin0918 on June 28, 2011, 11:31:24 AM

Quote from: Saturn7 on June 28, 2011, 11:17:07 AM

A 5870 can do 3.8 Billion password combinations a second.

If you have 3 of them in your system like most miners do, thats 11.4 Billion per second

684 Billion per Minute
41 Trillion per Hour
984 Trillion per day (24 hours)
6.8 Quadrillion per week
210 Quadrillion per Month Shocked

I think the days of "passwords" you type with a keyboard are over.

Even with those numbers, it would take on average a week to crack a purely random 8-character combination of alphanumeric/special characters. If that number is raised to 10, it's 21 years, according to this spreadsheet calculator.

Yes but this spreadsheet assumes only 17 billion per hour not 41 Trillion.
And thats just 3 cards, if somebody really wanted to go all out and have 30 cards then who knows.
Might open up a black hole in you PC LOL

DamienBlack

jr. member

Activity: 56

Merit: 1

Quote from: Isepick on June 28, 2011, 11:33:11 AM

A random selection of some of the more secure looking passwords:

60x8760b6k328vc3v24kw8y1
Y!m4g6s3j*
Ev3rL@NRDX11090821
b1Ackb0x3!1
8W3G7Pds9712++
c65b5DF488
mgq$jc)kw3
w@chtw00rdLanimret!
acy7zkprddv2k3iFd&
VeryStrongPassword

I doubt that these and the many more that are on there 1) got phished and 2)wound up on this particular list at the same time. Well, except for the last guy. Though I do suppose that is an upgrade to using 'password' for a password Tongue

I also doubt that all of these were phished. But if they weren't, a network about 1% as large as the bitcoin network must have been pointed at cracking them.

Isepick

full member

Activity: 180

Merit: 100

A random selection of some of the more secure looking passwords:

60x8760b6k328vc3v24kw8y1
Y!m4g6s3j*
Ev3rL@NRDX11090821
b1Ackb0x3!1
8W3G7Pds9712++
c65b5DF488
mgq$jc)kw3
w@chtw00rdLanimret!
acy7zkprddv2k3iFd&
VeryStrongPassword

I doubt that these and the many more that are on there 1) got phished and 2)wound up on this particular list at the same time. Well, except for the last guy. Though I do suppose that is an upgrade to using 'password' for a password Tongue

bitcoin0918

newbie

Activity: 70

Merit: 0

Quote from: Saturn7 on June 28, 2011, 11:17:07 AM

A 5870 can do 3.8 Billion password combinations a second.

If you have 3 of them in your system like most miners do, thats 11.4 Billion per second

684 Billion per Minute
41 Trillion per Hour
984 Trillion per day (24 hours)
6.8 Quadrillion per week
210 Quadrillion per Month Shocked

I think the days of "passwords" you type with a keyboard are over.

Even with those numbers, it would take on average a week to crack a purely random 8-character combination of alphanumeric/special characters. If that number is raised to 10, it's 21 years, according to this spreadsheet calculator.

DamienBlack

jr. member

Activity: 56

Merit: 1

Quote from: proudhon on June 28, 2011, 11:29:43 AM

Wait, what is this? Is this the MtGox database?

Yes

proudhon

legendary

Activity: 2198

Merit: 1311

Wait, what is this? Is this the MtGox database?

Topic: Cracked Passwords List Leaked, were you cracked? - page 5. (Read 16402 times)